Closed paragonie-security closed 2 years ago
I'm leaning towards deprecating my version entirely. This issue is handled in https://github.com/dajiaji/pyseto, which also supports the newer versions and is seeing active development.
I'm going to make an attempt this weekend at adding v3 and v4 support, listing v2 as deprecated, and adding the breaking change of requiring typed keys.
Okay. Let us know if we can help.
I've added support for this to a work-in-progress branch for adding v3 and v4 support. It needs a fair amount of work, but it is passing the vector tests so far.
I think when this is released, I'll bump up to version 1.0.0. The only breaking change with the current release is that it requires the key property to be an object instead of a byte string.
Link to PR here: https://github.com/rlittlefield/pypaseto/pull/19
This has been done in version 1.0.0. I'll see about adding PASERK support soon to make this work well for serialized keys too.
https://github.com/rlittlefield/pypaseto/blob/926d84e4dc16dd7ec02b4b51cbed365a74828679/paseto.py#L52-L58
https://github.com/rlittlefield/pypaseto/blob/926d84e4dc16dd7ec02b4b51cbed365a74828679/paseto.py#L116
See https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/03-Algorithm-Lucidity.md
Right now, byte arrays are accepted by this API. There's no mechanism to prevent a user from using a v2 public key as a v2 local key.
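The check this issue asks for, as an added example that is not part of the thread and is not pypaseto's code: a key object carries its version and purpose, and is matched against the token header before any cryptographic operation. `TypedKey`, `LucidityError`, `key_for_token` and `is_accepted` are hypothetical names, and the key bytes and token are constructed samples.

```python
from dataclasses import dataclass, field

# Version/purpose pairs named in this thread (v2 deprecated, v3 and v4 added).
SUPPORTED = {(v, p) for v in ("v2", "v3", "v4") for p in ("local", "public")}


class LucidityError(TypeError):
    """The key offered does not match the token's version and purpose."""


@dataclass(frozen=True)
class TypedKey:
    """Hypothetical typed key: raw material bound to one version and purpose."""
    version: str
    purpose: str
    material: bytes = field(repr=False)  # keep key bytes out of repr() and logs


def key_for_token(token: str, key) -> bytes:
    """Return key material only if the key matches the token header."""
    parts = token.split(".")
    if len(parts) < 3 or (parts[0], parts[1]) not in SUPPORTED:
        raise ValueError("unrecognised token header")
    # A v2.local key and a v2.public (Ed25519) key are both 32 bytes, so a
    # bare byte string carries no information about what it is meant for.
    if not isinstance(key, TypedKey):
        raise LucidityError("raw key material rejected; a TypedKey is required")
    if (key.version, key.purpose) != (parts[0], parts[1]):
        raise LucidityError(
            f"{key.version}.{key.purpose} key offered for a "
            f"{parts[0]}.{parts[1]} token"
        )
    return key.material


def is_accepted(token: str, key) -> bool:
    """Convenience wrapper: True when the key may be used with this token."""
    try:
        key_for_token(token, key)
        return True
    except LucidityError:
        return False


# Constructed sample values, not real key material or a real token.
RAW = bytes(range(32))
LOCAL_TOKEN = "v2.local.Y29uc3RydWN0ZWQ"
```

The same 32 bytes are accepted only when wrapped as a `v2`/`local` key; wrapped as `v2`/`public`, wrapped for another version, or passed bare, they are refused before any decryption or verification would run.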